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TITLE OF THE INVENTION 

ENCRYPTION METHOD , ENCRYPTION APPARATUS , DECRYPTION 
METHOD, AND DECRYPTION APPARATUS 

5 This application is based on an application No. 

11-245277 filed in Japan, the content of which is hereby 
incorporated by reference. 

BACKGROUND OF THE INVENTION 
10 (1) Field of the Invention 

The present invention relates to a cryptographic 
technique that encrypts a plaintext to generate a 
ciphertext and then decrypts the ciphertext to obtain the 
original plaintext. 

15 

(2) Description of the Related Art 

In recent years, it is becoming increasingly common 
to encrypt important information before transmission to 
prevent third parties from knowing its content. More 
20 secure forms of encryption are therefore being sought. 

Japanese Laid-Open Patent Application No. Hll-7239 
teaches a data encryption apparatus that aims to achieve 
more secure encryption. 

This data encryption apparatus divides a plaintext 
25 received from outside into a plurality of plaintext blocks 
and encrypts each plaintext block using key data to 
generate ciphertext blocks. When encrypting the first 
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plaintext block, this data encryption apparatus uses key- 
data obtained from outside the apparatus. For the second 
and following plaintext blocks, the data encryption 
apparatus updates the key data using the ciphertext block 
5 generated when encrypting the preceding plaintext block, 
and encrypts the present plaintext block using this updated 
key data. 

The data encryption apparatus encrypts each 
plaintext block in the following way. The data encryption 

10 apparatus includes a subkey generating unit and first to 
eighth encrypting units. The subkey generating unit uses 
the key data to generate first to eighth subkeys . Each 
of these first to eighth subkeys are different. The first 
encrypting unit generates a first intermediate block from 

15 a plaintext block using the first subkey. The second 
encrypting unit generates a second intermediate block from 
the first intermediate block using the second subkey. The 
third to seventh encrypting units similarly generate third 
to seventh intermediate blocks from the second to sixth 

20 intermediate blocks using the third to seventh subkeys. 
The eighth encrypting unit generates a ciphertext block 
from the seventh intermediate block using the eighth 
subkey. 

Each plaintext block is encrypted using key data that 
25 differs for each plaintext block. This makes it difficult 
to accumulate pairs of plaintexts that have been encrypted 
using the same key and the resulting ciphertexts. As a 
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result, the security of the encryption against known 
plaintext attacks, such as differential cryptanalysis and 
linear cryptanalysis, is improved. 

However, the subkey generating unit in this data 
encryption apparatus has to generate many different 
subkeys every time a plaintext block is encrypted. This 
has the drawback of lowering the speed of the cryptographic 
processing. 

SUMMARY OF THE INVENTION 

The present invention was conceived in view of the 
stated problem and has an object of providing an encryption 
apparatus that performs cryptographic processing which is 
fast and has a high degree of security against known 
plaintext attacks. The invention also aims to provide an 
encryption method, a decryption apparatus, a decryption 
method, and a recording medium that stores an encryption 
program and/or decryption program, each of which has the 
same effect. 

The stated object can be achieved by an encryption 
method for use by an encryption apparatus that encrypts 
plaintext data composed of a plurality of blocks, the 
encryption method comprising: a block obtaining step for 
obtaining the plaintext data one block at a time in order 
from outside the encryption apparatus; a selecting step 
for selecting either a first mode or a second mode for a 
current block obtained in the block obtaining step 



according to how many blocks have been obtained; a key 
generating step for generating (1) a first group composed 
of a predetermined number n of different subkeys when the 
first mode is selected, and (2) a second group composed 
5 of less than n different subkeys when the second mode is 
selected; and an encrypting step for encrypting the current 
block by subjecting the current block to n conversion 
processes in order, wherein in the first mode, each of the 
n conversion processes is associated with a different 

10 subkey in the first group and is performed using the 

associated subkey, and in the second mode, the n conversion 
processes are associated with subkeys in the second group 
and are each performed using the associated subkey. 

In the stated method, fewer subkeys are generated in 

15 the second mode than in the first mode. This suppresses 
decreases in processing speed caused by the generation of 
subkeys during the encryption of blocks . 

Here, the selecting step may select (i) the first mode 
for blocks whenever a number of blocks that have been 

20 obtained is equal to a multiple of a predetermined value, 
and (ii) the second mode for all other cases. 

In the stated method, the first mode is only selected 
for certain blocks in the plaintext data. The second mode 
is selected for all other blocks. This means that the 

25 second mode is selected more often that the first mode, 
and that the decreases in the cryptographic processing 
speed for the entire plaintext data composed of the blocks 
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can be suppressed. 

Here, the encryption apparatus may include an initial 
value storing means for storing an initial value, the 
encrypting step may encrypt the current block to generate 
5 a ciphertext block having a predetermined length, and 
the key generating step may generate the first group using 
the initial value in the first mode and generate the second 
group using the initial value and the ciphertext block most 
recently generated by the encrypting step in the second 
10 mode . 

In the stated method, each plaintext block is 
encrypted using different key data. This makes it 
difficult for third parties to accumulate pairs of 
plaintexts encrypted using the same key and the resulting 

15 ciphertexts. This increases the security against known 
plaintext attacks, such as differential cryptanalysis and 
linear cryptanalysis. 

The stated object can be achieved by a decryption 
method for use by a decryption apparatus that decrypts 

20 ciphertext data in ciphertext block units, the decryption 
method including: a block obtaining step for obtaining the 
ciphertext data one ciphertext block at a time in order 
from outside the decryption apparatus; a selecting step 
for selecting either a first mode or a second mode for use 

25 with a current ciphertext block obtained in the block 
obtaining step according to how many ciphertext blocks have 
been obtained; a key generating step for generating 
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(1) a first group composed of a predetermined number n of 
different subkeys when the first mode is selected and 

(2) a second group composed of less than n different subkeys 
when the second mode is selected; and a decrypting step 

5 for decrypting the current ciphertext block by subjecting 
the current ciphertext block to n conversion processes in 
order, wherein in the first mode, each of the n conversion 
processes is associated with a different subkey in the 
first group and is performed using the associated subkey, 

10 and in the second mode, the n conversion processes are 
associated with subkeys in the second group and are each 
performed using the associated subkey. 

In the stated method, fewer subkeys are generated in 
the second mode than in the first mode. This suppresses 

15 decreases in processing speed caused by the generation of 
subkeys during the decryption of ciphertext blocks . 

The stated object can also be achieved by a decryption 
method for use by a decryption apparatus that decrypts 
ciphertext data in ciphertext block units, the decryption 

20 method comprising: a block obtaining step for obtaining 
the ciphertext data one ciphertext block at a time in order 
from outside the decryption apparatus; a selecting step 
for selecting either a first mode or a second mode for use 
with a current ciphertext block obtained in the block 

25 obtaining step according to how many ciphertext blocks have 
been obtained; a key generating step for generating 
(1) a first group composed of a predetermined number n of 
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different subkeys when the first mode is selected and 
(2) a second group composed of less than n different subkeys 
when the second mode is selected; and a decrypting step 
for decrypting the current ciphertext block by subjecting 
5 the current ciphertext block to n conversion processes in 
order, wherein in the first mode, each of the n conversion 
processes is associated with a different subkey in the 
first group and is performed using the associated subkey, 
and in the second mode, the n conversion processes are 
10 associated with subkeys in the second group and are each 
performed using the associated subkey. 

In the stated method, the first mode is only selected 
for certain blocks in the plaintext data. The second mode 
is selected for all other blocks. This means that the 
15 second mode is selected more often that the first mode and 
that the decreases in the decryption processing speed for 
the entire ciphertext data composed of the ciphertext 
blocks can be suppressed. 

Here, the decryption apparatus may include an initial 
20 value storing means for storing an initial value, 

the key generating step generating the first group using 
the initial value in the first mode and generating the 
second group using the initial value and the ciphertext 
block obtained immediately before the current ciphertext 
25 block in the second mode. 

In the stated method, each ciphertext block is 
decrypted using different key data. This makes it 
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difficult for third parties to accumulate pairs of 
plaintexts encrypted using the same key and the resulting 
ciphertexts. This increases the security against known 
plaintext attacks, such as differential cryptanalysis and 
linear cryptanalysis. 

As described above, the present invention achieves 
a similar level of security to the described conventional 
technology while improving the speed of the cryptographic 
processing. The invention suited to processes such as the 
secret communication of image and other information in real 
time. With the current demand for improvements in 
multimedia technology, this makes the effect of the 
invention especially significant. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and the other objects, advantages and features 
of the invention will become apparent from the following 
description thereof taken in conjunction with the 
accompanying drawings which illustrate a specific 
embodiment of the invention. 

In the drawings : 

FIG. 1 is a block diagram showing the construction 
of an encrypted communication system 5 that is a preferred 
embodiment of the present invention; 

FIG. 2 is a block diagram showing the construction 
of the data encrypting unit 10 in the transmission 
apparatus 1; 



8 



FIG. 3 is a block diagram showing the constructions 
of the encrypting unit 100 and the subkey data generating 
unit 101; 

FIG. 4 is a block diagram showing the construction 
5 of the data randomizing unit 301; 

FIG. 5A and FIG. 5B are conceptual drawings showing 
which of the plurality of sets of subkey data generated 
by the subkey data generating unit 101 is used by each of 
the first to sixteenth encrypting units of the encrypting 
10 unit 100, with FIG. 5A showing the case where the subkey 
data generating type is A and FIG. 5B showing the case where 
the subkey data generating type is B; 

FIG. 6 shows the correspondence between the count 
value, the input key data and the subkey data generating 
15 type; 

FIG. 7 is a block diagram showing the construction 
of the data decrypting unit 20 in the reception apparatus 
2; 

FIG. 8 is a flowchart showing the overall operation 
20 of the transmission apparatus 1; 

FIG. 9 is a flowchart showing the operation of the 
data encrypting unit 10 of the transmission apparatus 1; 

FIG. 10 is a flowchart showing the operation of the 
counter unit 105 in the data encrypting unit 10; 
25 FIG. 11 is a flowchart showing the operation of the 

register unit 104 in the data encrypting unit 10; 

FIG. 12 is a flowchart showing a former part of the 



operation of the subkey data generating unit 101 in the 
data encrypting unit 10; 

FIG. 13 is also a flowchart showing a latter part of 
the operation of the subkey data generating unit 101 in 
5 the data encrypting unit 10; and 

FIG. 14 is a flowchart showing the operation of the 
data randomizing unit 301 in the subkey data generating 
unit 101. 

10 DESCRIPTION OF THE PREFERRED EMBODIMENT 

The following describes an encrypted communication 
system 5 according to a preferred embodiment of the present 
invention . 

15 1. Construction of the Encrypted Communication System 5 

As shown in FIG. 1, the encrypted communication 
system 5 is constructed of a transmission apparatus 1, a 
reception apparatus 2 and a transfer path 3. The transfer 
path 3 connects the transmission apparatus 1 and the 

20 reception apparatus 2. 

The transmission apparatus 1 and the reception 
apparatus 2 are each provided beforehand with the same 
encryption key data EK. The transmission apparatus 1 
encrypts the plaintext data P using the encryption key data 

25 EK to generate the ciphertext data C, and then transmits 
the generated ciphertext data C to the reception apparatus 
2 via the transfer path 3. The reception apparatus 2 
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receives this ciphertext data decrypts the ciphertext 
data C using the encryption key data EK, and so generates 
the decrypted text data D. Here, the decrypting performed 
by the reception apparatus 2 is the inverse of the 
encrypting performed by the transmission apparatus 1, so 
that the decrypted text data D generated by the decrypting 
is the same as the plaintext data P. 

1 . 1 Constructions of the Transmission Apparatus 1 and the 
Reception Apparatus 2 

(1) Construction of the Transmission Apparatus 1 

As shown in FIG. 1, the transmission apparatus 1 is 
constructed of a plaintext data storing unit 12, an 
encryption key data storing unit 13, a data encrypting unit 
10, and a transmitting unit 11. 

The plaintext data storing unit 12 stores the 
plaintext data P beforehand. This plaintext data P is 
digital data that includes at least 64 bits, and can be 
digitally encoded audio or image information, for example. 

The encryption key data storing unit 13 stores 64-bit 
encryption key data EK in advance . The encryption key data 
EK is decided in advance for both the transmission 
apparatus 1 and the reception apparatus 2 . 

The data encrypting unit 10 reads the plaintext data 
P from the plaintext data storing unit 12 and the encryption 
key data EK from the encryption key data storing unit 13. 
The data encrypting unit 10 then encrypts the plaintext 
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data P using the encryption key data EK to generate the 
ciphertext data C. The data encrypting unit 10 outputs 
the resulting ciphertext data C to the transmitting unit 
11. This data encrypting unit 10 is described in detail 
5 later in this specification. 

The transmitting unit 11 receives the ciphertext data 
C, performs a parallel-to-serial on the ciphertext data 
C, and then modulates and amplifies the converted data to 
generate signals. The transmitting unit 11 transmits 
10 these signals via the transfer path 3 to the reception 
apparatus 2 . 

(2) Construction of the Reception Apparatus 2 

As shown in FIG. 1, the reception apparatus 2 is 

15 constructed of a decrypted text data storing unit 22, an 
encryption key data storing unit 23, a data decrypting unit 
20, and a receiving unit 21. 

The receiving unit 21 receives signals transmitted 
by the transmitting unit 11 of the transmission apparatus 

20 1 via the transfer path 3, demodulates the signals, and 
performs a serial-to-parallel conversion to obtain the 
ciphertext data C. The receiving unit 21 outputs this 
ciphertext data C to the data decrypting unit 20. 

The encryption key data storing unit 23 stores 64-bit 

25 encryption key data EK in advance. This encryption key 
data EK is the same as that stored by the encryption key 
data storing unit 13 in the transmission apparatus 1. 
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The data decrypting unit 20 receives the ciphertext 
data C and reads the encryption key data EK from the 
encryption key data storing unit 23. The data decrypting 
unit 20 decrypts the ciphertext data C using the encryption 

5 key data EK to generate the decrypted text data D. The 
data decrypting unit 2 0 writes this decrypted text data 
D into the decrypted text data storing unit 22. The 
decrypting performed by the data decrypting unit 20 is the 
inverse of the encrypting performed by the data encrypting 

10 unit 10. This means that the decrypted text data D is the 
same as the original plaintext data P. This data 
decrypting unit 20 is also described in detail later in 
this specification. 

The decrypted text data storing unit 22 stores the 

15 decrypted text data D. 

1.2 Construction of the Data Encrypting Unit 10 

As shown in FIG. 2, the data encrypting unit 10 is 
constructed of an encrypting unit 100, a subkey data 

20 generating unit 101, a logical XOR unit 102, a data 

converting unit 103, a register unit 104, a counter unit 
105, a subkey data generation control unit 106, a register 
control unit 107, a block dividing unit 108, a block 
combining unit 109, a key obtaining unit 110, and a key 

25 storing unit 111. 
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(1) Block Dividing Unit 108 

The block dividing unit 108 reads the plaintext data 
P from the plaintext data storing unit 12 and divides the 
plaintext data P in block units measured from the start 

5 of the plaintext data P to generate a plurality of plaintext 
blocks Pt (where t=0,l,2 ....)• Each plaintext block Pt 
is 64 bits long. The block dividing unit 108 outputs these 
plaintext blocks Pt sequentially to the encrypting unit 
100. After outputting all of the plaintext blocks Pt, the 

10 block dividing unit 108 outputs information showing that 
output has been completed to the block combining unit 109. 

(2) Key Obtaining Unit 110 

The key obtaining unit 110 reads the encryption key 
15 data EK from the encryption key data storing unit 13 and 
writes the read encryption key data EK into the key storing 
unit 111. 

(3) Key Storing Unit 111 

20 The key storing unit 111 stores the encryption key 

data EK. 

(4) Encrypting Unit 100 

As shown in FIG. 3, the encrypting unit 100 includes 
25 a first encrypting unit 100a, a second encrypting unit 
100b, .... a fifteenth encrypting unit 100c and a sixteenth 
encrypting unit lOOd. 
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The first encrypting unit 100a obtains a plaintext 
block Pt from the block dividing unit 108 and first subkey 
data SKo from the subkey data generating unit 101. The 
first subkey data SKq is 32 bits long. The first encrypting 
5 unit 100a encrypts the obtained plaintext block Pt using 
the first subkey data SKq to generate a first intermediate 
block. The first encrypting unit 100a outputs this first 
intermediate block to the second encrypting unit 100b. 

The encryption performed by the first encrypting unit 

10 100a is the data encryption part of a FEAL (Fast Data 
Encipherment Algorithm) encryption method, which is a 
well-known block encryption technique. 

The second to fifteenth encrypting units 
respectively receive an intermediate block from a 

15 preceding encrypting unit in the first to fourteenth 

encrypting units and second to fifteenth subkey data SKi 
to SKi4 from the subkey data generating unit 101. Each of 
the second to fifteenth sets of subkey data SKi to SK14 is 
32 bits long. The second to fifteenth encrypting units 

20 respectively encrypt the received intermediate block using 
the second to fifteenth subkey data SKi to SK14 to generate 
second to fifteenth intermediate blocks which are 
respectively outputted to the third to sixteenth 
encrypting units. 

25 The sixteenth encrypting unit lOOd obtains the 

fifteenth intermediate block from the fifteenth encrypting 
unit 100c and obtains the sixteenth subkey data SK15 from 
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the subkey data generating unit 101. The sixteenth subkey 
data SKi5 is also 32 bits long. The sixteenth encrypting 
unit lOOd encrypts the obtained intermediate block using 
the sixteenth subkey data SK15 to generate the ciphertext 
5 block Cf 

Equation 7 

Ct = Enc(Pt,SKOt) 

10 

Here, the expression Enc(Pt,SKOt) shows that the 
plaintext block Pt is encrypted using a group SKOt (SKq to 
SK15) of subkey data that has been generated as part of the 
t^^ encrypting process. 
15 The sixteenth encrypting unit lOOd outputs the 

ciphertext block Ct it has generated to the block combining 
unit 109. 

When the generated ciphertext block Ct has been 
outputted to the block combining unit 109, the encrypting 
20 unit 100 outputs information showing that the encryption 
of one plaintext block has been completed to the counter 
unit 105. 

(5) Register Unit 104 
25 The register unit 104 includes regions for storing 

a 64-bit initial value IV and 64-bit stored data ROf The 
value of the stored data ROt is set at the initial value 
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IV in advance . 

The register unit 104 receives the ciphertext block 
Ct from the sixteenth encrypting unit lOOd. 

The register unit 104 receives a control signal from 
the register control unit 107 . When the received control 
signal is "0"and a ciphertext block Ct is received from 
the sixteenth encrypting unit lOOd, the register unit 104 
stores the ciphertext block Ct as the stored data ROf When 
the received control signal is "1", the register unit 104 
reads the initial value IV and stores the initial value 
IV as the stored data ROf 

Putting this another way, suppose that T represents 
a predetermined cycle and that n is 0,1 .... When the 
(T*n)^^ plaintext block Pt (where t=T*n) block is being 
encrypted, the register unit 104 resets the stored value 
ROt using the initial value IV that is set in advance. The 
value "T" is set in advance and is described later in this 
specification. When a plaintext block that is not a (T^n)*^*" 
plaintext block (which is to say a plaintext block Pt where 
t7^T*n) is encrypted, the received ciphertext block Ct is 
stored as the stored data ROt. 



(6) Data Converting Unit 103 

The data converting unit 103 reads the 64-bit stored 
25 data ROt from the register unit 104. When the encrypting 
unit 100 encrypts the t^^ plaintext block Pt, the data 
converting unit 103 reads the 64-bit data ROt shown below. 



17 



Equation 1 



When t^T*k (where k=0,l, ...) 

5 ROt =Ct-i 

Equation 2 

When t=T*k (where k=0,l, -..) 

ROt =IV 

10 

The data converting unit 103 subjects the read stored 
data ROt to a predetermined data conversion f to generate 
SOf 

15 Equation 3 

SOt =f (ROt) 

In this specification, the expression, f (X) 
20 represents the result of subjecting the input data X to 
the predetermined data conversion f . This predetermined 
data conversion f is a 13-bit rotated shift toward the MSB 
(most significant bit) of 64-bit data. 

After this, the data converting unit 103 outputs the 
25 64-bit data SOt that is generated by the conversion to the 
logical XOR unit 102. 
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(7) Logical XOR Unit 102 

The logical XOR unit 102 receives the 64-bit data SOt 
from the data converting unit 103 and reads the encryption 
key data EK from the key storing unit 111. 
5 The logical XOR unit 102 takes an XOR for each bit 

in the 64-bit data SOt and a corresponding bit in the 
encryption key data EK and so generates the 64-bit input 
key data IKOf 

10 Equation 4 

IKOt =SOt(+)EK 

Note that in the above equation, the symbol " ( + ) " is 
used to denote an XOR operation. 
15 The logical XOR unit 102 outputs the input key data 

IKOt it has generated to the subkey data generating unit 
101. 

(8) Subkey Data Generating Unit 101 

20 The subkey data generating unit 101 receives a 

control signal from the subkey data generation control unit 
10 6 and the input key data IKOt from the logical XOR unit 
102. This control signal shows whether or not a (T*n)^'^ 
(where n=0,l, ....) plaintext block is being encrypted. 

25 Such encrypting happens once in every predetermined cycle 
T. In the present example, the predetermined cycle T is 
set at 2^° encryption operations. 
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The subkey data generating unit 101 is capable of two 
(type A and type B) subkey generating processes. The type 
A subkey generating process has a heavy processing load 
while the type B has a light processing load. In accordance 

5 with the received control signal, the subkey data 

generating unit 101 selects one of the two types of subkey 
generating processes and performs the selected process 
using the input key data IKOt to generate sixteen sets of 
32-bit subkey data (i.e., the first to sixteenth first 

10 subkey data SKq to SK15) . 

Equation 5 

When t^T*k(k=0,l, . . .) 

SKOt=KGB (IKOt) 

15 

Here, the expression KGB (X) refers to sixteen sets 
of subkey data generated from the input key data IKOt by 
the type B subkey data generating process. These sixteen 
sets of subkey data are composed of two types of subkey 
20 data . 

Equation 6 

When t=T*k (k=0, 1, . . . ) 

SKOt =KGA(IKOt) 

25 The expression KGA(X) represents the sixteen sets of 

subkey data that are generated by the type A subkey 
generating process. Each of these sixteen sets of subkey 

20 



data is different from the others. 

The subkey data generating unit 101 outputs sixteen 
sets of subkey data SKq to SK15 it has generated to the first 
to sixteenth encrypting units of the encrypting unit 100. 

5 FIG. 6 shows the relationship between the count value 

of the counter unit 105, the input key data received by 
the subkey data generating unit 101, and the type (A or 
B) of subkey generating process used by the subkey data 
generating unit 101 . When the count value is "0", the input 

10 key data is generated using the encryption key data EK and 
the initial value IV, and the type A subkey generating 
process is used. Conversely, when the count value is "1" 
to "2^°-l", the input key data is generated using the 
encryption key data EK and the ciphertext block generated 

15 by the preceding encrypting process, and the type B subkey 
generating process is used. 

As shown in FIG. 3, the subkey data generating unit 
101 is constructed of the data randomizing unit 301, the 
randomized data storing unit 302, and the number of stages 

20 control unit 303. 

(a) Data Randomizing Unit 301 

The data randomizing unit 301 receives 64-bit data 
from the number of stages control unit 303, performs a 
25 predetermined data randomizing process on this data, and 
so generates 32-bit subkey data SK and 64-bit randomized 
data. The data randomizing unit 301 outputs the 32-bit 
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subkey data SK to the randomized data storing unit 302 and 
the generated 64-bit randomized data to the number of 
stages control unit 303. 

As shown in FIG. 4, the data randomizing unit 301 is 
constructed of a separating unit 301a, a logical XOR unit 
301b, a data jumbling unit 301c, and a combining unit 301d. 

Separating Unit 301a 

The separating unit 301a receives 64-bit data from 
the number of stages control unit 303 and separates this 
data into the upper 32 bits (hereafter called "data Al") 
and the lower 32 bits (hereafter called "data AO") . The 
separating unit 301a outputs the data Al to the logical 
XOR unit 301b and the data jumbling unit 301c, and the data 
AO to the combining unit 301d and the data jumbling unit 
301c. 

Data Jumbling Unit 301c 

The data jumbling unit 301c receives the data AO and 
the data Al from the separating unit 301a, takes an 
exclusive OR for each bit in the data AO and the data Al, 
and so obtains 32-bit data. The data jumbling unit 301c 
separates this data into four sets of 8-bit data, performs 
a predetermined substitution for each set of eight-bit data 
and so generates four sets of 8-bit data. The 
predetermined substitution referred to here is performed 
using a table that stores 256 8-bit values that have been 
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assigned address values from "0" to "255". 

After this, the data jumbling unit 301c generates 
32-bit data by combining the four sets of 8-bit data it 
has generated. The data jumbling unit 301c transposes a 
specific bits in this 32-bit value to generate the new 
32-bit data CI which it outputs to the logical XOR unit 
301b. 

Logical XOR Unit 301b 

The logical XOR unit 301b receives the data Al from 
the separating unit 301a and the 32-bit data CI from the 
data jumbling unit 301c. The logical XOR unit 301b takes 
a logical XOR for each bit in the data Al and the data CI 
to generate the 32-bit subkey data BO. The logical XOR 
unit 301b then outputs this subkey data BO to the randomized 
data storing unit 302 and the combining unit 301d. 

Combining Unit SOld 

The combining unit 301d receives the data AO from the 
separating unit 301a and the subkey data BO from the logical 
XOR unit 301b. The combining unit 30 Id combines the data 
AO and the subkey data BO to generate 64-bit randomized 
data that has the data AO as the upper 32 bits and the subkey 
data BO as the lower bits . The combining unit 30 Id outputs 
this 64-bit randomized data to the number of stages control 
unit 303. 
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(b) Number Of Stages Control Unit 303 

The number of stages control unit 303 operates as 
described below to have the data randomizing unit 301 
repeat the data randomizing process. 
5 The number of stages control unit 303 is equipped with 

a region for storing (1) a processing iteration number 
showing a total number of times the data randomizing unit 
301 has performed the randomizing process and (2) a maximum 
number of iterations. 
10 The number of stages control unit 303 receives the 

input subkey data from the logical XOR unit 102 or the 
64-bit randomized data from the data randomizing unit 301. 
The number of stages control unit 303 also receives a 
control signal from the subkey data generation control unit 
15 106. When the received control signal is "1", the maximum 
number of iterations is set at "16". When the received 
control signal is "0", the maximum number of iterations 
is set at "2". On receiving a control signal, the number 
of stages control unit 303 resets the processing iteration 
20 number to "0". 

The number of stages control unit 303 receives the 
input key data or randomized key data, adds one to the 
processing iteration number and compares the processing 
iteration number with the maximum number of iterations . 
25 If the processing iteration number is equal to the maximum 
number of iterations, the number of stages control unit 
303 outputs the input key data or randomized key data it 
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has received to the data randomizing unit 301 to complete 
the repeated processing. If the processing iteration 
number is below the maximum number of iterations, the 
number of stages control unit 303 outputs the input key 
data or randomized key data it has received to the data 
randomizing unit 301 and has another iteration of the 
repeated processing performed. 

Note that during the first iteration of the repeated 
processing, the number of stages control unit 303 outputs 
the input key data it has received to the data randomizing 
unit 301. In the second and following iterations, the 
number of stages control unit 303 outputs the randomized 
data it has received to the data randomizing unit 301. 

As described above, the number of stages control unit 
303 controls the data randomizing unit 301 to have it 
perform the randomizing process twice or sixteen times. 
When a (T^n)^"" (where n=0,l,...) plaintext block is being 
encrypted, the repeated processing has the data 
randomizing unit 301 output sixteen sets of subkey data 
to the randomized data storing unit 302. However, in all 
other cases the data randomizing unit 301 outputs two sets 
of subkey data to the randomized data storing unit 302. 

(c) Randomized Data Storing Unit 302 

The randomized data storing unit 302 receives a 
control signal from the subkey data generation control unit 
10 6. The randomized data storing unit 302 also 
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sequentially receives sixteen sets of subkey data or two 
sets of subkey data from the data randomizing unit 301. 
The sixteen sets of subkey data are respectively numbered 
SKo to SKi5, while the two sets of subkey data are 
5 respectively numbered SKq and SKi. After receiving such 
data, the randomized data storing unit 302 stores either 
the sixteen sets of subkey data SKo to SK15 or the two sets 
of subkey data SKq and SKi . 

As shown in FIG. 5A, when the received control signal 
10 is "1", the randomized data storing unit 302 reads the 
stored sets of subkey data SKq to SK15 and outputs these 
sets of subkey data SKq to SK15 to the first to sixteenth 
encrypting units . 

As shown in FIG. 5B, when the received control signal 
15 is "0", the randomized data storing unit 302 reads the 
stored sets of subkey data SKq and SKi and then sets 
SKi4=SKi2=SKio=SK8=SK6=SK4=SK2=SKo and 

SKi5=SKi3=SKii=SK9=SK7=SK5=SK3=SKi. Having done so, the 
randomized data storing unit 302 outputs the sets of subkey 
20 data SKo to SK15 to the first to sixteenth encrypting units . 

The sets of subkey data SKq to SK15 are respectively 
used as the first to sixteenth sets of subkey data. 

(9) Counter Unit 105 
25 The counter unit 105 is equipped with an internal 

region for storing a count value. This count value is 
initialized using the initial value "0". 
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The counter unit 105 receives completion information 
from the encrypting unit 100. This information shows that 
the encryption of one plaintext block is complete. On 
receiving the completion information, the counter unit 105 
adds "1" to the count value. When adding "1" to a count 
value that is already "2^° - 1", the counter unit 105 resets 
the count value to "0". 

(10) Subkey Data Generation Control Unit 106 

The subkey data generation control unit 10 6 reads the 
count value from the counter unit 105 . When the count value 
is "0", the subkey data generation control unit 10 6 outputs 
a control signal with the value "1" to the subkey data 
generating unit 101. When the count value is not "0", the 
subkey data generation control unit 10 6 outputs a control 
signal with the value "0". 

(11) Register Control Unit 107 

The register control unit 107 also reads the count 
value from the counter unit 105. When the count value is 
"0", the register control unit 107 outputs a control signal 
with the value "1" to the register unit 104 . When the count 
value is not "0", the register control unit 107 outputs 
a control signal with the value "0" to the register unit 
104. 

(12) Block Combining Unit 109 



27 



The block combining unit 109 sequentially receives 
the ciphertext blocks Ct from the encrypting unit 100 and 
receives information showing the completion of output from 
the block dividing unit 108. 

On receiving information showing the completion of 
output, the block combining unit 109 combines all of the 

received ciphertext blocks Ct (t=0,l,2, ) in the order 

it received them to generate the ciphertext data C. The 
block combining unit 10 9 outputs this ciphertext data C 
to the transmitting unit 11. 

1.3 Construction of the Data Decrypting Unit 20 

As shown in FIG. 1, the data decrypting unit 20 
includes a decrypting unit 2 00, a subkey data generating 
unit 201, a logical XOR unit 202, a data converting unit 

203, a register unit 204, a counter unit 205, a subkey data 
generation control unit 206, a register control unit 207, 
a block dividing unit 208, a block combining unit 209, a 
key obtaining unit 210, a key storing unit 211. 

The subkey data generating unit 201, the logical XOR 
unit 202, the data converting unit 203, the register unit 

204, the counter unit 205, the subkey data generation 
control unit 206, the register control unit 207, the key 
obtaining unit 210, and the key storing unit 211 of the 
data decrypting unit 20 respectively have the same 
constructions as the subkey data generating unit 101, the 
logical XOR unit 102, the data converting unit 103, the 
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register unit 104, the counter unit 105, the subkey data 
generation control unit 106, the register control unit 107, 
the key obtaining unit 110, and the key storing unit 111 
of the data encrypting unit 10. Accordingly, the 
following explanation will only focus on the differences 
between the data decrypting unit 20 and the data encrypting 
unit 10. 

(1) Block Dividing Unit 208 

The block dividing unit 208 receives the ciphertext 
data C from the receiving unit 21 and divides the received 
ciphertext data C into a plurality of ciphertext blocks 
Ct {where t=0,l,2, ....) Each ciphertext block Ct is 64 
bits long. The block dividing unit 2 08 outputs each 
ciphertext block Ct it generates to the decrypting unit 
200 in order. 

The block dividing unit 208 also sequentially outputs 
the preceding ciphertext block Ct-i to the register unit 
204. When outputting the first ciphertext block Co to the 
decrypting unit 200, the block dividing unit 208 does not 
output any data to the register unit 204, 

On completing the output of all of the ciphertext 
blocks, the block dividing unit 208 outputs information 
showing the completion of output to the block combining 
unit 209. 
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(2) Decrypting Unit 200 

The decrypting unit 200 uses the data decryption part 
of a FEAL encryption method. 

The decrypting unit 200 includes first to sixteenth 
5 decrypting units (not illustrated) . 

The first decrypting unit receives a ciphertext block 
Ct from the block dividing unit 208 and first subkey data 
SKO from the subkey data generating unit 201. The first 
subkey data SKO is 32 bits long. The first decrypting unit 
10 decrypts the received ciphertext block Ct using the first 
subkey data SKO and so generates a first intermediate block. 
The first decrypting unit outputs this first intermediate 
block to the second decrypting unit. 

The second to fifteenth decrypting units 
15 respectively receive a first to fourteenth intermediate 
block from a preceding decrypting unit out of the first 
to fourteenth decrypting units in addition to 
corresponding subkey data out of the second to fifteenth 
subkey data SKi to SK14 from the subkey data generating unit 
20 201. Each of the second to fifteenth subkey data SKi to 
SK14 is 32 bits long. The second to fifteenth decrypting 
units respectively decrypt the first to fourteenth 
intermediate blocks using the second to fifteenth subkey 
data SKi to SK14 to generate the second to fifteenth 
25 intermediate blocks which are outputted to the third to 
sixteenth decrypting units. 

The sixteenth decrypting unit receives the fifteenth 
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intermediate block from the fifteenth decrypting unit and 
the sixteenth subkey data SK15 from the subkey data 
generating unit 201. This sixteenth subkey data SK15 is 
32 bits long. The sixteenth decrypting unit decrypts the 
fifteenth intermediate block using the sixteenth subkey 
data SK15 to generate the plaintext block Df 

Equation 14 

Dt=Dec(Ct,SKlt) 

Here, Dec(Ct,SKlt) represents the decrypting of the 
ciphertext Ct using the set SKlt (SKq to SK15) of subkey data 
that is generated during the t^^ decryption process. 

The sixteenth decrypting unit outputs the plaintext 
block Dt it generates to the block combining unit 20 9. 

After outputting the generated plaintext block Dt to 
the block combining unit 209, the encrypting unit 100 
outputs the completion information, which shows that the 
decrypting of one ciphertext block has been completed, to 
the counter unit 205. 

(3) Counter Unit 205 

The counter unit 205 receives completion information 
showing that the decrypting of one ciphertext block has 
been completed by the decrypting unit 200. On receiving 
this information, the counter unit 205 adds "1" to the count 
value . 
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(4) Register Unit 204 

The register unit 204 is equipped with regions for 
storing a 64-bit initial value IV and 64-bit stored data. 
In an initial state, the 64-bit stored data is set at the 
initial value IV. 

The register unit 204 receives the previous 
ciphertext block Ct-i from the block dividing unit 208. 

The register unit 204 receives a control signal from 
the register control unit 207. When the received control 
signal is "0", and the register unit 204 has received a 
ciphertext block Ct-i from the block dividing unit 208, the 
register unit 204 stores received ciphertext block Ct-i as 
the stored data after the decrypting unit 2 00 outputs the 
plaintext block Dt-i at the end of the data decrypting 
process for the current ciphertext block. When the 
control signal is "1", the register unit 204 reads the 
initial value IV and stores it as the stored data. 

Putting this another way, when decrypting the (T*n)^'^ 
ciphertext block (where n=0,l,2, ...), the register unit 
204 initializes the stored value using the initial value 
IV that is set in advance. In all other cases, the register 
unit 2 04 stores the preceding ciphertext block Ct-i- As 
mentioned before, the value "T" is a value indicating a 
predetermined cycle. 
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(5) Block Combining Unit 209 

The block combining unit 209 sequentially receives 
the plaintext blocks Dt from the decrypting unit 200 and 
receives information showing the completion of output from 

5 the block dividing unit 208. 

On receiving information showing the completion of 
output, the block combining unit 209 combines the received 

plaintext blocks Dt (t=0,l,2, ) in the order it received 

them to generate the plaintext data D. The block combining 

10 unit 109 outputs this plaintext data D to the decrypted 
data storing unit 22 . 

(6) Data Converting Unit 203 

The data converting unit 2 03 reads the 64-bit stored 
15 data from the register unit 204. On decrypting the t^'' 
ciphertext block Ct, the encrypting unit 100 reads the 
64-bit stored data Rlt shown below. 



Equation 8 
20 When t?^T*k(k=0,l, . . .) 

Rlt=Ct-i 



Equation 9 

When t=T*k (k=0, 1, . . . ) 
25 Rlt=IV 
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The data converting unit 203 next subjects the stored 
data Rlt it has read to a predetermined data conversion 
f to generate Slf 

Equation 10 

Slt=f (Rlt) 

Here, f (X) represents the value generated when the 
data converting unit 203 subjects the input data X to the 
data conversion f. 

(7) Logical XOR Unit 202 

The logical XOR unit 202 receives the 64-bit data Sit 
from the logical XOR unit 2 02 and generates the input key 
data IKlf 

Equation 11 

IKlt =Slt(+)EK 

(8) Subkey Data Generating Unit 201 

The subkey data generating unit 201 generates sixteen 
sets of 32-bit subkey data (the first to sixteenth subkey 
data SKo to SK15) . 

Equation 12 

When t7^T*k(k=0,l, . . .) 

SKlt=KGB(IKlt) 
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Here, KGB(X) represents the sixteen sets of subkey 
data that are generated by the type B subkey generating 
process using the input key data X. These sixteen sets 
5 of subkey data are composed of two types of subkey data. 

Equation 13 

When t=T*k(k=0,l, . . .) 
10 SKlt=KGA(IKlt) 

Here, KGA{X) represents the sixteen sets of subkey 
data that are generated by the type A subkey generating 
process using the input key data X. These sixteen sets 
15 of subkey data each differ from one another. 

2. Operation of the Encrypted Communication System 5 

The following describes the operation of the 
encrypted communication system 5. 

20 

2.1 Operation of the Transmission Apparatus 1 

The following describes the operation of the 
transmission apparatus 1. 

25 (1) Overall Operation of the Transmission Apparatus 1 

The following describes the overall operation of the 
transmission apparatus 1 with reference to the flowchart 
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shown in FIG. 8. 

The counter unit 105 sets the count value at "0", the 
register unit 10 4 sets the stored data at the initial value 
IV, and the block dividing unit 108 reads the plaintext 
data from the plaintext data storing unit 12 (step SlOl) . 
The key obtaining unit 110 reads the encryption key data 
from the encryption key data storing unit 13 and writes 
the read encryption key data into the key storing unit 111 
(step S102) . The block dividing unit 108 divides the read 
plaintext data into a plurality of plaintext blocks (step 
S103) . 

The block dividing unit 108 outputs each plaintext 
block to the encrypting unit 100. The encrypting unit 100 
receives a plaintext block from the block dividing unit 
108, encrypts the plaintext block to generate a ciphertext 
block, and outputs the generated ciphertext block to the 
block combining unit 109 (step S104) . When all of the 
plaintext blocks have not been encrypted (step S105:No), 
the processing returns to S104. 

On completing the output of all of the plaintext 
blocks (S105:Yes), the block dividing unit 108 outputs 
information showing the completion of output to the block 
combining unit 109. The block combining unit 109 combines 
all of the ciphertext blocks it has received in order to 
generate the ciphertext data which it outputs to the 
transmitting unit 11 (step S106) . 

The transmitting unit 11 receives the ciphertext data 
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and subjects the received ciphertext data to a 
parallel-to-serial conversion, modulation, and 
amplification to generate signals. The transmitting unit 
11 transmits these signals to the reception apparatus 2 
5 via the transfer path 3 (step S107) . 

(2) Operation of the Data Encrypting Unit 10 

The following describes the operation of the data 
encrypting unit 10 with reference to the flowchart in FIG. 
10 9. 

The data converting unit 103 first reads the 64-bit 
stored data from the register unit 104 (step S121) , 
subjects the read data to a predetermined data conversion, 
and outputs the resulting 64-bit data to the logical XOR 

15 unit 102 (step S122) . 

The logical XOR unit 102 receives the 64-bit data from 
the data converting unit 103, reads the encryption key data 
from the key storing unit 111, takes a logical XOR for 
corresponding bits in the received 64-bit data and the read 

20 encryption key data to generate 64 -bit input key data. The 
logical XOR unit 102 outputs the generated input key data 
to the subkey data generating unit 101 (step S123) . 

The subkey data generating unit 101 generates a 
plurality of sets of subkey data using the input key data 

25 and outputs each generated set of subkey data to a different 
encrypting unit in the first to sixteen encrypting units 
in the encrypting unit 100 (step S124) . 
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The encrypting unit 100 receives a plaintext block 
from the block dividing unit 108 (step S125) , encrypts the 
plaintext block using the plurality of sets of subkey data 
and so generates a ciphertext block (step S126) . The 
5 counter unit 105 adds "1" to the count value (step S127) . 
The encrypting unit 100 outputs the ciphertext block to 
the block combining unit 109 (step S128) . 

The subkey data generation control unit 10 6 reads the 
count value from the counter unit 105 . When the count value 
10 is "0" (step S141:Yes) , the subkey data generation control 
unit 10 6 outputs a control signal with the value "1" to 
the subkey data generating unit 101 (step S143) . 
Conversely, when the count value is not "0" (step S141:No) , 
the subkey data generation control unit 10 6 outputs a 
15 control signal with the value "0" to the subkey data 
generating unit 101 (step S142) . 

The register control unit 107 also reads the count 
value of the counter unit 105. When the count value is 
"0" (step S151:Yes) , the register control unit 107 outputs 
20 a control signal with the value "1" to the register unit 
104 (step S153) . Conversely, when the count value is not 
"0" (step S151:No) , the register control unit 107 outputs 
a control signal with the value "0" to the register unit 
104 (step S152) . 
25 The register unit 104 stores a value in accordance 

with the control signal received from the register control 
unit 107 (step S161) . 
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(3) Operation of the Counter Unit 105 

The following describes the operation of the counter 
unit 105 with reference to the flowchart shown in FIG. 10. 
5 On receiving a completion signal from the encrypting 

unit 100 showing that the encryption of one plaintext block 
has been completed, the counter unit 105 adds "1" to the 
count value (step S181) . When the count value reaches 2^° 
(step S182:Yes) the counter unit 105 resets the count value 
10 to "0" (step S183) . 

(4) Operation of the Register Unit 104 

The following describes the operation of the register 
unit 104 with reference to the flowchart in FIG. 11. 

15 The register unit 104 receives a control signal from 

the register control unit 107. When the received control 
signal is "0" (step S201:"=0") and a ciphertext block is 
received from the sixteenth encrypting unit lOOd, the 
register unit 104 stores this ciphertext block as the 

20 stored data (step S202) . When the received control signal 
is "1" (step S201;"=l"), the register unit 104 reads the 
initial value IV and stores the initial value as the stored 
data (step S203) . 

25 (5) Operation of the Subkey Data Generating Unit 101 

The following describes the operation of the subkey 
data generating unit 101 with reference to the flowcharts 
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in FIGS. 12 and 13. 

The number of stages control unit 303 of the subkey 
data generating unit 101 receives a control signal from 
the subkey data generation control unit 10 6. When the 

5 received control signal is "1" (step S221 : "=1 " ) , the number 
of stages control unit 303 sets the maximum number at 16 
(step S223) , while when the received control signal is "0" 
(step S221:"=0"), the number of stages control unit 303 
sets the maximum number at 2 (step S222) . On receiving 

10 the control signal, the number of stages control unit 303 
also sets the iteration number "i" at "0" (step S224) . 

The number of stages control unit 303 receives either 
input key data or randomized data. In the first iteration 
(step S225:Yes), the number of stages control unit 303 

15 outputs the input key data to the data randomizing unit 
301 (step S227) . In the second and following iterations 
(step S225:No), the number of stages control unit 303 
outputs the randomized data to the data randomizing unit 
301 (step S226) . 

20 The data randomizing unit 301 performs a data 

randomizing process and so generates the subkey data and 
randomized data (step S228) . The randomized data storing 
unit 302 stores the subkey data (step S229) . Next, the 
number of stages control unit 303 adds "1" to the value 

25 of the iteration number i (step S230) and compares the 
resulting iteration number with the maximum number. When 
the iteration number is below the maximum number (step 
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S231;Yes), the processing returns to step S225 and the 
above procedure is repeated. 

When the iteration number is at least equal to the 
maximum number (step S231:Yes), the repeated processing 

5 is completed. The randomized data storing unit 302 then 
receives a control signal from the subkey data generation 
control unit 106. When the received control signal is "1" 
(step S232) , the randomized data storing unit 302 reads 
the stored sets of subkey data SKq to SK15 and outputs the 

10 read sets of subkey data SKq to SK15 to the first to sixteen 
encrypting units (step S235) . 

When the received control signal is "0" (step S232) , 
the randomized data storing unit 302 reads the stored sets 
of subkey data SKq and SKi, sets SKi4=SKi2=SKio=SK8 

15 =SK6=SK4=SK2=SKo and SKi5=SKi3=SKii=SK9=SK7=SK5=SK3=SKi, and 
outputs the sets of subkey data SKq to SK15 to the first 
to sixteenth encrypting units (steps S233 and S234) . 

(6) Operation of the Data Randomizing Unit 301 
20 The following describes the operation of the data 

randomizing unit 301 with reference to the flowchart in 
FIG. 14. 

The separating unit 301a receives 64-bit data from 
the number of stages control unit 303 and separates the 
25 received 64-bit data to generate the upper 32-bit data Al 
and the lower 32-bit data AO. The separating unit 301a 
outputs the data Al to the logical XOR unit 301b and the 
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data jumbling unit 301c, and outputs the data AO to the 
combining unit 301d and the data jumbling unit 301c (step 
S251) . 

The data jumbling unit 301c receives the data AO and 
5 the data Al from the separating unit 301a, takes a logical 
XOR for corresponding bits in the data AO and the data Al 
to generate 32-bit data, and separates this 32-bit data 
into four sets of 8-bit data. The data jumbling unit 301c 
then performs a predetermined substitution on each set of 

10 8-bit data and combines the resulting sets of modified 
8-bit data to generate a new set of 32-bit data. The data 
jumbling unit 301c also replaces predetermined bits in the 
32-bit data with other bits to generate the 32-bit data 
CI which it outputs to the logical XOR unit 301b (step 

15 S252) . 

The logical XOR unit 301b receives the data AO from 
the separating unit 301a and the 32-bit data CI from the 
data jumbling unit 301c and takes a logical XOR for 
corresponding bits in the data AO and the data CI to 

20 generate the subkey data BO. The logical XOR unit 301b 
outputs this subkey data BO to the randomized data storing 
unit 302 and the combining unit 301d (step S253) . 

The combining unit 301d receives the data AO from the 
separating unit 301a and the subkey data BO from the logical 

25 XOR unit 301b. The combining unit 301d combines the data 
AO and the subkey data BO with the data AO as the upper 
bits and the subkey data BO as the lower bits to generate 
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64-bit randomized data. The combining unit 301d outputs 
this 64-bit randomized data to the number of stages control 
unit 303 (step S254) . 

5 2.2 Operation of the Reception Apparatus 2 

The following describes the operation of the 
reception apparatus 2. 

(1) Overall Operation of the Reception Apparatus 2 

10 The overall operation of the reception apparatus 2 

is similar to the operation of the transmission apparatus 
1, and so will also be explained with reference to the 
flowchart shown in FIG. 8. 

The receiving unit 21 of the reception apparatus 2 

15 receives signals from the transmitting unit 11 of the 
transmission apparatus 1 via the transfer path 3. The 
receiving unit 21 subjects the received signals to 
demodulation and serial-to-parallel conversion to 
generate a ciphertext. The counter unit 205 sets the count 

20 value at "0", and the register unit 204 sets the stored 
data at the initial value IV. The block dividing unit 208 
receives the ciphertext data from the receiving unit 21 
(this corresponds to step SlOl) , and the key obtaining unit 
210 reads the encryption key data from the encryption key 

25 data storing unit 23 and writes it into the key storing 
unit 211 (this corresponds to step S102) . The block 
dividing unit 208 divides the ciphertext data into a 
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plurality of ciphertext blocks (this corresponds to step 
S103) . 

The block dividing unit 208 outputs each ciphertext 
block to the decrypting unit 200 . The decrypting unit 200 
receives a ciphertext block from the block dividing unit 
208, decrypts the received ciphertext block to generate 
a plaintext block, and outputs the resulting plaintext 
block to the block combining unit 209 (this corresponds 
to step S104) . When the decrypting unit 200 has not 
completed the decryption of all of the ciphertext blocks 
(this corresponds to S105:No), the decrypting process is 
repeated. 

When the outputting of all of the ciphertext blocks 
is complete (this corresponds to S105:Yes), the block 
dividing unit 208 outputs information showing the 
completion of output to the block combining unit 209. The 
block combining unit 209 combines all of the plaintext 
blocks it has received in order to generate plaintext data 

(this corresponds to step S106) , and writes the generated 
plaintext data into the decrypted data storing unit 22 

(this corresponds to step S107) . 

(2) Operation of the Data Decrypting Unit 20 

The operation of the data decrypting unit 20 is 
similar to that of the data encrypting unit 10 and so is 
explained with reference to the flowchart in FIG. 9. 

The data converting unit 203 reads the 64-bit stored 
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data from the register unit 204 (this corresponds to step 
S121) , performs a predetermined data conversion on the 
stored data, and outputs the converted 64-bit data to the 
logical XOR unit 202 (this corresponds to step S122) . 
5 The logical XOR unit 202 receives 64-bit data from 

the data converting unit 203, reads the encryption key data 
from the key storing unit 211, and takes a logical XOR for 
corresponding bits in the 64-bit data and encryption key 
data to generate 64-bit input key data. The logical XOR 

10 unit 202 outputs this input key data to the subkey data 
generating unit 201 (this corresponds to step S123) . 

The subkey data generating unit 201 generates a 
plurality of sets of subkey data using the input key data 
and outputs each generated set of subkey data to a different 

15 decrypting unit in the first to sixteenth decrypting units 
of the decrypting unit 200 (this corresponds to step S124) . 

The decrypting unit 200 receives a ciphertext block 
from the block dividing unit 208 (this corresponds to step 
S125) , decrypts the ciphertext block using the plurality 

20 of sets of subkey data, and so generates a plaintext block 
(this corresponds to step S12 6) . The counter unit 205 
increments the count value (this corresponds to step S127) . 
The decrypting unit 200 outputs the resulting plaintext 
block to the block combining unit 209 (this corresponds 

25 to step S128) . 

The operation of the subkey data generation control 
unit 20 6 is the same as the operation of the subkey data 
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generation control unit 106 that is shown in steps S141 
to S143 of the flowchart in FIG. 9, and so will not be 
explained. 

The operation of the register control unit 207 is the 
5 same as the operation of the register control unit 107 that 
is shown in steps S151 to S153 of the flowchart in FIG. 
9, and so will not be explained. 

The register unit 204 stores a value in accordance 
with the control value it receives from the register 
10 control unit 207 (this is the same as step S161 in the 
flowchart in FIG. 9) . 

(3) Operation of the Counter Unit 205 

The operation of the counter unit 205 is similar to 
15 that of the counter unit 105 and so is explained with 
reference to the flowchart in FIG. 10. 

On receiving completion information from the 
decrypting unit 2 00 showing that it has completed the 
decrypting of one ciphertext block, the counter unit 2 05 
20 adds one to the count value (this corresponds to step S181) . 
When this addition results in the count value reaching 2^° 
(this corresponds to S181:Yes) , the counter unit 205 resets 
the count value to zero (this corresponds to step S183) . 

25 (4) Operation of Register Unit 204 

The operation of the register unit 204 is similar to 
that of the counter unit 105 and so is explained with 
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reference to the flowchart in FIG. 11. 

The register unit 204 receives a control signal from 
the register control unit 207. When the received control 
signal is "0" (step S201:Yes) and a previous ciphertext 
block is received from the block dividing unit 208, the 
register unit 204 stores this ciphertext block as the 
stored data (this corresponds to step S202) . When the 
received control signal is "1" (this corresponds to step 
S201:No), the register unit 204 reads the initial value 
IV and stores the initial value IV as the stored data (this 
corresponds to step S203) . 

(5) Operation of the Subkey Data Generating Unit 201 

The operation of the subkey data generating unit 201 
is similar to that of the subkey data generating unit 101, 
so that the following description will focus on the 
differences with the procedure in the flowcharts shown in 
FIGS. 12 and 13. 

In step S235, the randomized data storing unit 302 
reads the stored subkey data SKq to SK15 and outputs the 
respective sets of subkey data SKo to SK15 to the 
corresponding first to sixteenth decrypting units in the 
decrypting unit 200. 

In steps S233 and S234, the randomized data storing 
unit 302 reads the stored subkey data SKq and SKi, sets 
SKi4=SKi2=SKio=SK8=SK6=SK4=SK2=SKo and 
SKi5=SKi3=SKii=SK9=SK7=SK5=SK3=SKi, and outputs the 
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respective sets of subkey data SKq to SK15 to the 
corresponding first to sixteenth decrypting units in the 
decrypting unit 200. 

5 (6) Operation of the Data Randomizing Unit 301 

The operation of the data randomizing unit 301 in the 
subkey data generating unit 201 is the same as the operation 
of the data randomizing unit 301 in the subkey data 
generating unit 101 that was described using FIG. 14. No 

10 further explanation will be given. 



3 . Correspondence between the Plaintext and Decrypted Text 

The ciphertext blocks Co, Ci, . . . are obtained when 
15 the data encrypting unit 10 encrypts the plaintext block 
sequence Pq/ Pi, • . • using the 64-bit encryption key data. 
These ciphertext blocks are decrypted by the data 
decrypting unit 2 0 using the same 64-bit encryption key 
data to generate the plaintext block sequence Do, Di, .... 
20 that is the same as the plaintext block sequence Pq, Pi, .... 
This is shown in more detail below. 



Equation 15 is found from Equations 1 and 2 and 
Equations 8 and 9. 

Equation 15 

R0t=Rlt (t=0,l, ...) 
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Equation 16 is found from Equation 15 and Equations 

3 and 10. 

5 Equation 16 

SOt=Slt (t=0,l, ...) 

Equation 17 is found from Equation 16 and Equations 

4 and 11. 

10 

Equation 17 

IKOt =IKlt (t=0,l, . . .) 

Therefore, Equation 18 is given by Equations 17 and 
15 5 and Equations 12 and 13 . 



Equation 18 

SKOt=SKlt (t=0,l...} 

20 

Equation 19 is found from Equations 7 and 14. 
Equation 19 

Dt=Dec (Enc (Pt, SKOt) , SKlt) 
25 (t=0,l,...) 

The following relationship (Equation 20) is formed 



for any 64-bit data a, p in the functions Enc and Dec. 
Equation 20 

a=Dec (Enc (a, p) , (3) 

Therefore, from Equations 19, 20, and 18 
Dt=Pt 

4. Evaluation of Security and Encryption Processing Speed 

(1) Security 

In the present embodiment, the encryption of a t^^ 
(where t#=2^°*k (k=0,l,...)) plaintext block is performed 
using sixteen sets of 32-bit subkey data SKq, . . • , SK15 that 
are inputted into the encrypting unit 100. As described 
earlier, these sets of subkey data are generated so that 

SKo=SK2=SK4 =Si4 and SKi=SK3=SK5 =815, so that 

security against known plaintext attacks is not as high 
as the conventional method where each set of subkey data 
is different. 

However, the input key data IKOt used to encrypt these 
plaintext blocks is set so that 

IKOt=EK( + )Ct-i 

As there are 2^^ potential values of Ct-i, it is 
practically impossible to obtain a large number of 
plaintext blocks that have been encrypted using the same 
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IKOf This makes the present method secure against known 
plaintext attacks . 

The encryption of a t^^ (where t=2^°*k (k=0,l,...)) 
plaintext block is also performed using sixteen sets of 
5 32-bit subkey data SKq, SK15 that are inputted into 

the encrypting unit 100. As described earlier, each of 
these sets of subkey data is different, so that security 
against known plaintext attacks is the same as with the 
stated conventional method. 

10 

(2) Encryption Processing Speed 

The following describes the encryption processing 
speed of the data encrypting unit 10. 

When a t^*" (where t?^2^°*k (k=0,l,...)) plaintext 

15 blocks Pt is encrypted, the subkey data generating unit 
101 performs a simple process that generates sixteen sets 
of 32-bit subkey data by generating what are effectively 
only two 32-bit sets of subkey data. This means that the 
generation of subkey data for each block has a lesser effect 

20 on the encryption processing speed that the stated 
conventional method. 

5 . Other Modlflca'tions 

While the present invention has been explained by way 
25 of the embodiments given above, it should be obvious that 
the invention is not limited to the details given therein. 
Several modifications are possible, with representative 
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examples being given below. 

(1) In the above embodiment, the logical XOR unit 102 (202) 
is described as a data merging means that takes an XOR for 
5 each bit in the 64-bit data generated by the data converting 
unit 103 (203) and the encryption data. However the same 
effect can be achieved even if an XOR is not taken for every 
bit position. 

10 (2) In the above embodiment, the data converting unit 103 
(203) is described as outputting 64-bit converted data, 
though such data does not need to be 64 bits long. As one 
example, when the encryption key data is 56 bits long, a 
data converting unit that outputs 56-bit data may be used. 

15 

(3) In the above embodiment, the register unit 104 (204) 
receives an input of ciphertext data generated in the 
immediately preceding encryption process, though the 
64-bit value obtained during the immediately preceding 

20 encryption process may be used. As one example, the first 
or second intermediate block generated during the 
encryption process may be used. The data used does not 
need to be 64 bits long, so that shorter data, such as a 
40-bit value, may be used. 

25 The following describes one possible arrangement 

when 40-bit data is used. The data converting unit 103 
(203) receives the 40-bit data and converts the data to 
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generate new 40-bit data. The key storing unit 111 stores 
40-bit encryption key data . The logical XOR unit 102 takes 
a logical XOR for corresponding bits in the new 40-bit data 
and the 40-bit encryption key data to generate 40-bit input 
5 key data. The subkey data generating unit 101 generates 
sixteen sets of 20-bit subkey data which are used during 
encryption by the first to sixteenth encrypting units of 
the encrypting unit 100. 

10 (4) In the above embodiment, the encrypting unit 100 uses 
a FEAL method, though any block encryption method may be 
used. As one example, DES (Data Encryption Standard) may 
be used. 

The subkey data generating unit 101 is not limited 
15 to having the construction described above. As one 

example, the subkey data generating unit 101 may generate 
sixteen sets of 32-bit subkey data from 64-bit input key 
data. 

20 (5) The present invention is not limited to a construction 
where the subkey data generating unit 101 uses two types 
of encryption processing where random numbers are 
generated using different processing loads. Any 
arrangement may be used, so long as the encryption 

25 processing used when the control signal "1" is inputted 
has a heavier load than the encryption processing used when 
the control signal "0" is inputted. 
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As one example, instead of generating two sets of 
subkey data, the subkey data generating unit may generate 
different data for the first 16 bits of each of the sixteen 
sets of subkey data and then generate the latter 16 bits 

5 of each set of subkey data based on the corresponding former 
16 bits. Such processing will reduce the processing load 
of key generation in the same way as described above. 

Instead of generating two sets of subkey data, the 
subkey data generating unit may generate three, four, five, 

10 or any other number up to fifteen sets of subkey data, with 
the first to sixteen encrypting units each using one of 
the generated sets of subkey data. 

(6) The counter unit 105 (205) resets the count value to 
15 "0" when it reaches "2^°-l", although the invention is not 
limited to using "2^°-l" as the upper limit for the count 
value. Any positive integer may be used. The count value 
also does not need to be reset to "0". 

In the above embodiments, the apparatuses are 
20 described as internally storing 64-bit encryption key data. 
However, the apparatuses may instead only store 64-bit 
encryption key data that is used the first time encryption 
is performed, with the input key data that is used when 
encrypting each of the other plaintext blocks being 
25 encrypted and transferred with the plaintext blocks. When 
updating the input key data, public key encryption, such 
as the Dif f ie-Hellman method, may be used to distribute 
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the input key data to the apparatuses that are to perform 
coinmunication . 

(7) The present invention also applies to the method used 
5 by the apparatuses described above. This method may be 
realized by computer programs that are executed by 
computers. Such computer programs may be distributed as 
digital signals . 

The present invention may be realized by a 
10 computer-readable storage medium, such as a floppy disk, 
a hard disk, a CD-ROM (Compact Disc-Read Only Memory) , an 
MO (magneto-optical) disc, a DVD (Digital Versatile Disc) , 
a DVD-ROM, a DVD-RAM, or a semiconductor memory, on which 
computer programs and/or digital signals mentioned above 
15 are recorded. Conversely, the present invention may also 
be realized by a computer program and/or digital signal 
that is recorded on a storage medium. 

Computer programs or digital signals that achieve the 
present invention may also be transmitted via a network, 
20 such as an electronic communication network, a wired or 
wireless communication network, or the Internet. 

The present invention can also be realized by a 
computer system that includes a microprocessor and a memory. 
In this case, a computer program can be stored in the memory, 
25 with the microprocessor operating in accordance with this 
computer program. 

The computer programs and/or digital signals may be 



55 



provided to an independent computer system by distributing 
a storage medium on which the computer programs and/or 
digital signals are recorded, or by transmitting the 
computer programs and/or digital signals via a network. 
The independent computer may then execute the computer 
programs and/or digital signals to function as the present 
invention . 

(8) The limitations described in the embodiment and the 
modifications may be freely combined. 

Although the present invention has been fully 
described by way of examples with reference to the 
accompanying drawings, it is to be noted that various 
changes and modifications will be apparent to those skilled 
in the art. Therefore, unless such changes and 
modifications depart from the scope of the present 
invention, they should be construed as being included 
therein . 
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What is claimed is: 



1 1. An encryption method for use by an encryption apparatus 

2 that encrypts plaintext data composed of a plurality of 

3 blocks, the encryption method comprising: 

4 a block obtaining step for obtaining the plaintext 

5 data one block at a time in order from outside the 

6 encryption apparatus; 

7 a selecting step for selecting either a first mode 

8 or a second mode for a current block obtained in the block 

9 obtaining step according to how many blocks have been 

10 obtained; 

11 a key generating step for generating 

12 (1) a first group composed of a predetermined 

13 number n of different subkeys when the first 

14 mode is selected, and 

15 (2) a second group composed of less than n 

16 different subkeys when the second mode is 

17 selected; and 

18 an encrypting step for encrypting the current block 

19 by subjecting the current block to n conversion processes 

20 in order, wherein 

21 in the first mode, each of the n conversion processes 

22 is associated with a different subkey in the first group 

23 and is performed using the associated subkey, and 

24 in the second mode, the n conversion processes are 

25 associated with subkeys in the second group and are each 

26 performed using the associated subkey. 
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1 2. An encryption method according to Claim 1, 



2 wherein the selecting step selects 

3 (i) the first mode for blocks whenever a number 

4 of blocks that have been obtained is equal to 

5 a multiple of a predetermined value ^ and 

6 (ii) the second mode for all other cases. 



1 3. An encryption method according to Claim 1, 

2 wherein the encryption apparatus includes an initial 

3 value storing means for storing an initial value, 

4 the encrypting step encrypts the current block to 

5 generate a ciphertext block having a predetermined length, 

6 and 

7 the key generating step generates the first group 

8 using the initial value in the first mode and generates 

9 the second group using the initial value and the ciphertext 

10 block most recently generated by the encrypting step in 

11 the second mode. 



1 4. An encryption apparatus for encrypting plaintext data 

2 composed of a plurality of blocks, the encryption apparatus 

3 comprising: 

4 block obtaining means for obtaining the plaintext 

5 data one block at a time in order from outside; 

6 selecting means for selecting either a first mode or 

7 a second mode for use with a current block obtained in the 

8 block obtaining means according to how many blocks have 
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9 been obtained; 



10 key generating means for generating 

11 (1) a first group composed of a predetermined 

12 number n of different subkeys when the first 

13 mode is selected, and 

14 (2) a second group composed of less than n 

15 different subkeys when the second mode is 

16 selected; and 

17 encrypting means for encrypting the current block by 



18 subjecting the current block to n conversion processes in 

19 order, wherein 

20 in the first mode, each of the n conversion processes 

21 is associated with a different subkey in the first group 

22 and is performed using the associated subkey, and 

23 in the second mode, the n conversion processes are 

24 each associated with a subkey in the second group and are 

25 each performed using the associated subkey. 

1 5. A computer-readable storage medium storing an 

2 encryption program for use by a computer that encrypts 

3 plaintext data composed of a plurality of blocks, 

4 the encryption program comprising: 

5 a block obtaining step for obtaining the plaintext 

6 data one block at a time in order from outside the 

7 encryption apparatus; 

8 a selecting step for selecting either a first mode 

9 or a second mode for a current block obtained in the block 
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10 obtaining step according to how many blocks have been 

11 obtained; 

12 a key generating step for generating 

13 (1) a first group composed of a predetermined 

14 number n of different subkeys when the first 

15 mode is selected, and 

16 (2) a second group composed of less than n 

17 different subkeys when the second mode is 

18 selected; and 

19 an encrypting step for encrypting the current block 

20 by subjecting the current block to n conversion processes 

21 in order, wherein 

22 in the first mode, each of the n conversion processes 

23 is associated with a different subkey in the first group 

24 and is performed using the associated subkey, and 

25 in the second mode, the n conversion processes are 

26 associated with subkeys in the second group and are each 

27 performed using the associated subkey. 

1 6. A decryption method for use by a decryption apparatus 

2 that decrypts ciphertext data in ciphertext block units, 

3 the decryption method comprising: 

4 a block obtaining step for obtaining the ciphertext 

5 data one ciphertext block at a time in order from outside 

6 the decryption apparatus; 

7 a selecting step for selecting either a first mode 

8 or a second mode for use with a current ciphertext block 
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9 obtained in the block obtaining step according to how many 

10 ciphertext blocks have been obtained; 

11 a key generating step for generating 

12 (1) a first group composed of a predetermined 

13 number n of different subkeys when the first 

14 mode is selected and 

15 (2) a second group composed of less than n 

16 different subkeys when the second mode is 

17 selected; and 

18 a decrypting step for decrypting the current 

19 ciphertext block by subjecting the current ciphertext 

20 block to n conversion processes in order, wherein 

21 in the first mode, each of the n conversion processes 

22 is associated with a different subkey in the first group 

23 and is performed using the associated subkey, and 

24 in the second mode, the n conversion processes are 



25 associated with subkeys in the second group and are each 

26 performed using the associated subkey. 

1 7. A decryption method according to Claim 6, 



2 wherein the selecting step selects 

3 (1) the first mode whenever a number of 

4 ciphertext blocks that have been obtained is 

5 given as a multiple of a predetermined value, 

6 and 

7 (2) the second mode for all other cases. 
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1 8. A decryption method according to Claim 6, 

2 wherein the decryption apparatus includes an initial 

3 value storing means for storing an initial value, 

4 the key generating step generating the first group 

5 using the initial value in the first mode and generating 

6 the second group using the initial value and the ciphertext 

7 block obtained iiranediately before the current ciphertext 

8 block in the second mode. 



1 9, A decryption apparatus that decrypts ciphertext data 

2 in ciphertext block units, the decryption apparatus 

3 comprising: 

4 block obtaining means for obtaining the ciphertext 

5 data one ciphertext block at a time in order from outside; 

6 selecting means for selecting either a first mode or 

7 a second mode for use with a current ciphertext block 

8 obtained by the block obtaining means according to how many 

9 ciphertext blocks have been obtained; 

10 key generating means for generating 

11 (1) a first group composed of a predetermined 

12 number n of different subkeys when the first 

13 mode is selected, and 

14 (2) a second group composed of less than n 

15 different subkeys when the second mode is 

16 selected; and 

17 decrypting means for decrypting the current 

18 ciphertext block by subjecting the current ciphertext 
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19 block to n conversion processes in order, wherein 

20 in the first mode, each of the n conversion processes 

21 is associated with a different subkey in the first group 

22 and is performed using the associated subkey, and 

23 in the second mode, the n conversion processes are 

24 associated with subkeys in the second group and are each 

25 performed using the associated subkey. 

1 10. A computer-readable storage medium storing a 

2 decryption program for use by a computer that decrypts 

3 ciphertext data in ciphertext block units, 

4 the decryption program comprising: 

5 a block obtaining step for obtaining the ciphertext 

6 data one ciphertext block at a time in order from outside 

7 the decryption apparatus; 

8 a selecting step for selecting either a first mode 

9 or a second mode for use with a current ciphertext block 

10 obtained in the block obtaining step according to how many 

11 ciphertext blocks have been obtained; 

12 a key generating step for generating 

13 (1) a first group composed of a predetermined 

14 number n of different subkeys when the first 

15 mode is selected and 

1^ (2) a second group composed of less than n 

1"^ different subkeys when the second mode is 

18 selected; and 

19 a decrypting step for decrypting the current 
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20 ciphertext block by subjecting the current ciphertext 

21 block to n conversion processes in order, wherein 

22 in the first mode, each of the n conversion processes 

23 is associated with a different subkey in the first group 

24 and is performed using the associated subkey, and 

25 in the second mode, the n conversion processes are 

26 associated with subkeys in the second group and are each 

27 performed using the associated subkey. 
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ABSTRACT OF THE DISCLOSURE 

The subkey data generating unit 101 has two different 
subkey key generation processes . When encrypting a (T*n)^^ 
plaintext block (where T denotes a predetermined cycle and 
n is a positive integer) , sixteen sets of subkey data are 
generated. In all other cases, two sets of subkey data 
are generated. The encrypting unit 100 encrypts the 
plaintext using the generated sixteen or two sets of subkey 
data . 



65 



Price, Gess & Ubell 

JOSEPH W. PRICE ATTORNEYS AT LAW ^ PROFESSIONAL CORPORATION 

ALBINHGESS TELEPHONE {949) 261-8433 

FRANKLIN D UBELL ^100 S.E, MAIN STREET, SUITE 250 l^^^^ J5 ^^I;*^^ 

IRVINE, CALIFORNIA 92614-6238 e-mail: pgu@pgulaw.com 



DRAWINGS - FOURTEEN (14) SHEETS 



Applicant(s): 
Title: 



Makoto Tatebayashi et al. 

ENCRYPTION METHOD, ENCRYPTION 
APPARATUS, DECRYPTION METHOD, AND 
DECRYPTION APPARATUS 



Attorney's 
Docket No.: 



NAK1-BM08 



"EXPRESS MAIL" MAILING 
LABEL NO. EL230379070US 



DATE OF DEPOSIT: August 15, 2000 



FIG. 4 



DATA RANDOMIZING UNIT 



301a 



Al 



I SEPARATING UNIT | 



,301b 



,301c 



LOGICAL 




DATA 


XORUNIT 




JUMBLING 
UNIT 







[COMBINING UNIT I 



64-BIT 

RANDOMIZED 
■ DATA 



301 



AO 




FIG. 5A 



FIRST 
ENCRYPTING UNIT 



SECOND 



ENCRYPTING UNIT 

T 



SKO 



SKI 



SUBKEY 
DATA 

GENERATING 
UNIT 



FIFTEENTH 
ENCRYPTING UNIT 



SIXTEENTH 
[ENCRYPTING UNIT 



SK14 



SKI 5 



FIG. 5B 



FIRST 
ENCRYPTING UNIT 



1* 



SECOND 
ENCRYPTING UNIT I 



T 
i 



FIFTEENTH 
ENCRYPTING UNIT 



SIXTEENTH 
ENCRYPTING UNIT 



SKO 



SKI 



SUBKEY 
DATA 
GENERATING 
UNIT 























































ii 




























< 




pa 






< 


PQ 








< 
























































SUB 
ENEF 


























o 






























































^ — ^ 
















KEY DA 


(Al)i 




f(Ci) 




CJ 




O 


O 




o' 

o. 


til. 




+ 
























B 
















:^ 
w 




Ph 












S 






w 






























W 


























3 
















































































o 




CM 




J 


o 








'cm 


o 




P 


























O 


























O 



























d 
►—I 




FIG. 8 



C START 

^ ^S lQl 

BLOCK DIVIDING UNIT READS | 
PLAINTEXT DATA I 



-.S102 



KEY OBTAINING UNIT READS 
KEY DATA 



^8103 



BLOCK DIVIDING UNIT DIVIDES 
PLAINTEXT DATA INTO 
PLAINTEXT BLOCKS 




S104 



8106 



FIG. 10 



rCOUNT VALUE INCREMENTING 
PROCESS USED BY COUNTER 
^ UNIT 



> 


^ ^S181 


COUNT VALUED 


COUNT VALUE+1 | 




C RETURN ^ 



FIG. 11 



COUNT VALUE INCREMENTING 
PROCESS USED BY COUNTER UNIT 



.5201 



RECEIVED 
CONTROL SIGNAL 



.S203 



CIPHERTEXT BLOCKI 
STORED 1 


INITIAL 

VALUE STORED 


> 


< 1 





( RETURN ^ 



FIG. 12 




rE=Q ^S 22 2 

I MAXIMUM NUMBER^2( | MAXIMUM NUMBER^ IG] 




S224 



S226 



.S227 



NUMBER OF STAGES CONTROL 
UNIT OUTPUTS PRECEDING 
RANDOMIZED DATA TO THE 
DATA RANDOMIZING UNIT 



NUMBER OF STAGES CONTROL 
UNIT OUTPUTS INPUT KEY 
DATA TO THE DATA 
RANDOMIZING UNIT 

n 



DATA RANDOMIZING UNIT 
PERFORMS DATA 
RANDOMIZING PROCESS TO 
GENERATE SUBKEY DATA 
SKi AND RANDOMIZED DATA 



RANDOMIZED DATA 
STORING UNIT STORES 
SUBKEY DATA SKi 



.S228 



^S229 



i ^S23Q 

.S231 




FIG. 13 



.S232 

RECEIVED = 1 

CONTROL SIGNAL^ 



.S233 



RANDOMIZED DATA STORING 
UNIT OUTPUTS SKO TO THE 
FIRST THIRD, FIFTH .... 
FIFTEENTH ENCRYPTING UNITS 



RANDOMIZED DATA STORING 
UNIT OUTPUTS SKI TO THE 
SECOND, FOURTH, SIXTH .... 
SIXTEENTH ENCRYPTING UNITS 



.S235 



RANDOMIZED DATA STORING 
UNIT OUTPUTS SKO, SKI, .... 
SK15 TO THE FIRST TO 
SIXTEENTH ENCRYPTING 
UNITS 



.S234 



r RETURN ^ 



FIG. 14 



START OF PROCESSING BY 
THE DATA RANDOMIZING UNIT 



SEPARATING UNIT SEPARATES 
64-BIT DATA INTO UPPER 
32-BIT DATA Al AND LOWER 
32-BIT DATA AO 



S252 



DATA JUMBLING UNIT JUMBLES 
DATA Al AND DATA AO TO 
GENERATE 32-BIT DATA CI 



.S253 



LOGICAL XOR UNIT TAKES AN 
XOR FOR DATA Al AND DATA CI 
TO GENERATE SUBKEY DATA BO 



.S254 



COMBINING UNIT COMBINES AO 
AND BO WITH AO AS UPPER 32 BITS 
AND BO AS LOWER 32 BITS TO 
GENERATE 64-BIT RANDOMIZED 
DATA 



( RETURN ^ 



Express Mail Label No. 



Page 1 of 



Docket No. 

NAK1-BM0 8 

Declaration and Power of Attorney For Patent Application 

English Language Declaration 

As a below named inventor, i hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name, 

I believe i am the original, first and sole Inventor (if only one name is listed below) or an original, 
first and joint inventor (if plural names are listed below) of the subject matter which is claimed and for 
which a patent is sought on the invention entitled 

ENCRYPTION METHOD, ENCRYPTION APPARATUS, DECRYPTION METHOD, 
AND DECRYPTION APPARATUS 

the specification of which 

l^^heck one) 

ISl is attached hereto. 

was filed on as United States Application No. or PCT International 

m Application Number 

and was amended on 

Si (if applicable) 

Jhereby state that I have reviewed and understand the contents of the above identified specification, 
OBcluding the claims, as amended by any amendment referred to above. 

ffiacknowiedge the duty to disclose to the United States Patent and Trademark Office all infonnation 
iinown to me to be material to patentability as defined in Title 37, Code of Federal Regulations, 
Section 1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, Section 119(a)-(d) or 
Section 365(b) of any foreign application(s) for patent or inventor's certificate, or Section 365(a) of 
any PCT International application which designated at least one country other than the United 
States, listed below and have also identified below, by checking the box, any foreign application for 
patent or inventor's certificate or PCT International application having a filing date before that of the 
application on which priority is claimed. 

Prior Foreign Application(s) Priority Not Claimed 



11-245277 Japan 31 /August/1 999 □ 

(Number) (Country) (Day/MonthA'ear Filed) 

□ 

(Number) (Country) (Day/MonthA'ear Filed) 

□ 

(Number) (Country) (Day/Month/Year Filed) 
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! hereby claim the benefit under 35 U.S.C. Section 119(e) of any United States provisional 



application(s) listed below: 


(Application Serial No.) 


(FilinQ Date) 


(Application Serial No.) 


(Filing Date) 


(Application Serial No.) 


(Filing Date) 



! hereby claim the benefit under 35 U. S. C. Section 120 of any United States application(s), or 
Section 365(c) of any PCT International application designating the United States, listed below and, 
insofar as the subject matter of each of the claims of this application is not disclosed in the prior 
United States or PCT Intemational application in the manner provided by the first paragraph of 35 
y.S.C. Section 112, I acknowledge the duty to disclose to the United States Patent and Trademark 
©fice all infomriation known to me to be material to patentability as defined in Title 37, C. F. R., 
;^ction 1.56 which became available between the filing date of the prior application and the national 
Bf PCT International filing date of this application: 



l=* (Application Serial No.) 


(Filing Date) 


(Status) 

(patented, pending, abandoned) 


IS (Application Serial No.) 


(Filing Date) 


(Status) 

(patented, pending, abandoned) 


O (Application Serial No.) 


(Filing Date) 


(Status) 

(patented, pending, abandoned) 



I hereby declare that all statements made herein of my own knowledge are true and that all 
statements made on information and belief are believed to be true; and further that these statements 
were made with the knowledge that willful false statements and the like so made are punishable by 
fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that 
such willful false statements may jeopardize the validity of the application or any patent issued 
thereon. 
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POWER OF ATTORNEY: As a named inventor, I hereby appoint the following attomey(sf arrd/or 
agent(s) to prosecute this application and transact all business in the Patent and Trademark Office 
connected therewith, (list name and registration number) 

Joseph W. Price, Reg. No. 25,124 Doyle B. Johnson, Reg. No. 39,240 

Albin H. Gess, Reg. No. 25,726 Michael J. Moffatt, Reg. No. 39,304 

Franklin D. Ubell, Reg. No. 27,009 Bradley D. Blanche, Reg. No. 38,387 



Send Conrespondence to: Joseph w. Price 

PRICE, GESS & UBELL 
2100 S.E. Main St., Ste. 250 

O Irvine, CA 92614 

Idbirect Telephone Calls to: (name and telephone number) 
Joseph W. Price, 949/261-8433 





Full name of sole or first Inventor 

Makoto TATEEAYASHI 








Sole or first inventor's signature ^ 


August ' 


Date 
,2000 




Residence (J 

1-16-21, Mefu, Takarazuka-shi, Hyogo-ken 665-0852 Japan 








Citizenship 

Japan 








Post Office Address 

same as residence 









Full name of second inventor. If any 

Kaoru YOKOTA 

Second inventor's signature ' /TT ~^ 7 Date 

^(^^^ August 1 , 2000 

Residence 

3-9-202, Shinnozuka-cho, Ashiya-shi, Hyogo-ken 659-0016 Japan 

Citizenship ~~~~~~ ~ 

Japan 

Post Office Address ~ ~~~~ 

same as residence 
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- Full name of third inventor, if any 

Motoji OHMORI 



Tiiird inventor's signature ~~~~ ~ ~~ — 

kU:^^ {>^ffv&^ August 1 , 2000 

Residence ^ ~ 

1-9-3-402, Nasuzukuri, Hirakata-shi , Osaka- fu 573-0071 Japan 



Citizenship 
Japan 
Post Office Address 



same as res idence 



Full name of fourth inventor, if any 

Fumihiko SANO 

Fourth inventor's signature ~ ~ ' 

Residence Kureare TosMiDafuchu C-414, Toshiba-cho 2-1, 

Fuchu-shi, Tokyo 183-0043 Japan 

Citizenship ~ ~ 

Japan 

Post Office Address 



August 1 , 2000 



same as residence 



Full name of fifth inventor, if any 

Naoki ENDO 



Fifth inventor's signature ~~ ' ~ ~ g^j^ 

.X/g^-o-Aj-^ ^^O^ August 1, 2000 



Residence 

2-10-56, Nishihara-cho, Fuchu-shi, Tokyo 183-0046 Ja pan 
Citizenship ~~ ~ 

Japan 



Post Office Address 

same as residence 



Full name of sixth inventor, if any 



Sixth inventor's signature 



Post Office Address 
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